Somashekara_Hanumant
Staff & Editor
Article Id 198574

Description

This article explains how to block files by file type in the Web Filter profile, for inbound and outbound traffic.

Scope

FortiGate.

Solution


File Filter allows the Web Filter profile to block files passing through a FortiGate based on file type.

HTTP and FTP File Filtering is configurable in the Web Filter profile.


File filtering in the Web Filter profile is based on file type (the file's metadata) only, not on file size or file content.
To block files based on size or content, such as Social Security numbers, credit card numbers, or a regular expression match, configure a DLP sensor instead.


File filtering only works on proxy mode policies.


Configure the Web Filter profile, enable File Filter, select the file types to match, and choose the protocol (HTTP, FTP, or both) and the traffic direction (incoming, outgoing, or any) on which those file types should be blocked or logged.

In the following example, three file filters are used in the Web Filter profile:

  • Block PDFs from entering or leaving the network (filter1).
  • Log the download of some graphics file-types via HTTP (filter2).
  • Block EXE files from leaving the network over FTP (filter3).


To configure a file-type-based web filter in the CLI:

config webfilter profile
    edit "webfilter-filefilter"
        config file-filter
            set status enable
            set log enable
            set scan-archive-contents enable
            config entries
                edit "filter1"
                    set comment "Block PDF files"
                    set protocol http ftp
                    set action block
                    set direction any
                    set encryption any
                    set file-type "pdf"
                next
                edit "filter2"
                    set comment "Log graphics files"
                    set protocol http
                    set action log
                    set direction incoming
                    set encryption any
                    set file-type "jpeg" "png" "gif"
                next
                edit "filter3"
                    set comment "Block upload of EXE files"
                    set protocol ftp
                    set action block
                    set direction outgoing
                    set encryption any
                    set file-type "exe"
                next
            end
        end
    next
end

After configuring file filters in the Web Filter profile, apply the profile to a proxy-mode firewall policy (file filtering is not applied in flow mode), for example:

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set webfilter profile "webfilter-filefilter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

To configure a file-type-based web filter in the GUI:

  1. Go to Security Profiles -> Web Filter.
  2. Select 'Create New', or select an existing profile and select 'Edit'.
  3. Enable File Filter.
  4. Enable Log and Scan Archived Contents.
  5. In the File Filter table, select 'Create New'.
  6. Configure the three filters:
     • filter1 blocks PDFs from entering or leaving the network.
     • filter2 logs the download of some graphics file types via HTTP.
     • filter3 blocks EXE files from leaving the network over FTP.
  7. Select OK.
  8. Add the new Web Filter profile to a firewall policy.

Log examples:

File filter block action:

1: date=2019-03-19 time=09:42:15 logid="0346012673" type="utm" subtype="webfilter" eventtype="file_filter" level="warning" vd="vd1" eventtime=1548438135 policyid=1 sessionid=29449 srcip=10.1.100.22 srcport=52816 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="blocked" reqtype="direct" url="/app_data/test1.pdf" sentbyte=0 rcvdbyte=0 direction="incoming" filename="test1.pdf" filtername="filter1" filetype="pdf" msg="File was blocked by file filter."

File filter log action:

2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" subtype="webfilter" eventtype="file_filter" level="notice" vd="vd1" eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 direction="incoming" filename="park.jpg" filtername="filter2" filetype="jpeg" msg="File was detected by file filter."

In the GUI:

Go to VDOM -> Log & Report -> Web Filter.
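The two records above are the raw material a SOC would pull from the FortiGate (or its syslog feed) to alert on blocked transfers. The following Python script is an added example, not code from this article or from Fortinet: it parses FortiOS key=value log records (handling quoted values that contain spaces, such as the msg field, and the "N: " index that the CLI prefixes when displaying logs), keeps only web filter file_filter events, and summarises them per filter name and action, listing each blocked transfer. The sample records are the two from the article; the function names parse_record, is_file_filter_event and summarize are my own.

```python
"""Parse FortiGate web filter 'file_filter' log records and summarise them.

Added example for this article; it is not Fortinet code. The two sample
records are copied from the article; the parsing and summary logic is an
assumption about how a SOC script might consume such logs.
"""
import re
from collections import Counter

# Constructed sample input: the two records shown in the article, each
# prefixed with the "N: " display index the FortiGate CLI prints.
SAMPLE_LOGS = [
    '1: date=2019-03-19 time=09:42:15 logid="0346012673" type="utm" '
    'subtype="webfilter" eventtype="file_filter" level="warning" vd="vd1" '
    'eventtime=1548438135 policyid=1 sessionid=29449 srcip=10.1.100.22 '
    'srcport=52816 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 '
    'dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" '
    'hostname="172.16.200.55" profile="webfilter-filefilter" action="blocked" '
    'reqtype="direct" url="/app_data/test1.pdf" sentbyte=0 rcvdbyte=0 '
    'direction="incoming" filename="test1.pdf" filtername="filter1" '
    'filetype="pdf" msg="File was blocked by file filter."',
    '2: date=2019-03-19 time=10:48:23 logid="0346012672" type="utm" '
    'subtype="webfilter" eventtype="file_filter" level="notice" vd="vd1" '
    'eventtime=1548442102 policyid=1 sessionid=521 srcip=10.1.100.22 '
    'srcport=52894 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.55 '
    'dstport=80 dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" '
    'hostname="172.16.200.55" profile="webfilter-filefilter" action="passthrough" '
    'reqtype="direct" url="/app_data/park.jpg" sentbyte=0 rcvdbyte=0 '
    'direction="incoming" filename="park.jpg" filtername="filter2" '
    'filetype="jpeg" msg="File was detected by file filter."',
]

# key=value pairs: the value is either a double-quoted string (which may
# contain spaces, e.g. msg="File was blocked by file filter.") or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Optional "N: " record index printed in front of each displayed log line.
_INDEX_RE = re.compile(r'^\d+:\s*')


def parse_record(line):
    """Return one log record as a dict of field name -> unquoted string."""
    line = _INDEX_RE.sub('', line.strip())
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_file_filter_event(rec):
    """True for UTM web filter records produced by the File Filter feature."""
    return (rec.get('type') == 'utm' and rec.get('subtype') == 'webfilter'
            and rec.get('eventtype') == 'file_filter')


def summarize(lines):
    """Count file filter events per (filtername, action) and collect blocks.

    Returns (counts, blocked): counts is a Counter keyed by
    (filtername, action); blocked lists one dict per blocked transfer with
    the source IP, file name, file type, direction and policy id.
    """
    counts = Counter()
    blocked = []
    for line in lines:
        rec = parse_record(line)
        if not is_file_filter_event(rec):
            continue  # e.g. system events or other UTM subtypes
        counts[(rec.get('filtername'), rec.get('action'))] += 1
        if rec.get('action') == 'blocked':
            blocked.append({
                'srcip': rec.get('srcip'),
                'filename': rec.get('filename'),
                'filetype': rec.get('filetype'),
                'direction': rec.get('direction'),
                'policyid': int(rec.get('policyid', 0)),
            })
    return counts, blocked


if __name__ == '__main__':
    counts, blocked = summarize(SAMPLE_LOGS)
    for (name, action), n in sorted(counts.items()):
        print(f'{name}: {action} x{n}')
    for b in blocked:
        print(f"blocked {b['direction']} {b['filetype']} {b['filename']} "
              f"from {b['srcip']} (policy {b['policyid']})")
```

Note that the action field distinguishes the two filter actions configured above: a filter with action block produces action="blocked" at level warning, while a filter with action log produces action="passthrough" at level notice, so a SIEM rule keyed only on eventtype="file_filter" would mix both unless it also checks action.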
 

 

In FortiOS 6.4.1 and later, File Filter has been moved out of the Web Filter profile into its own standalone profile; see:

Technical Tip: Configuring file filter (standalone profile)